The Forcepoint V-Series Content Gateway DSM for JSA supports events for web content from several Forcepoint TRITON solutions, including Web Security, Web Security Gateway, Web Security Gateway Anywhere, and V-Series appliances.
Forcepoint TRITON collects and streams event information to JSA by using the Forcepoint Multiplexer component. Before you configure JSA, you must configure the Forcepoint TRITON solution to provide LEEF formatted syslog events.
Before you can configure Forcepoint TRITON Web Security solutions to forward events to JSA, you must ensure that your deployment contains a Forcepoint Multiplexer.
The Forcepoint Multiplexer is supported on Windows, Linux, and on Forcepoint V-Series appliances.
To configure a Forcepoint Multiplexer on a Forcepoint Triton or V-Series appliance:
- Install an instance of Forcepoint Multiplexer for each
Forcepoint Policy Server component in your network.
For Microsoft Windows - To install the Forcepoint Multiplexer on Windows, use the TRITON Unified Installer. The Triton Unified Installer is available for download at http://www.myforcepoint.com.
For Linux - To install the Forcepoint Multiplexer on Linux, use the Web Security Linux Installer. The Web Security Linux Installer is available for download at http://www.myforcepoint.com.
For information on adding a Forcepoint Multiplexer to software installations, see your Forcepoint Security Information Event Management (SIEM) Solutions documentation.
- Enable the Forcepoint Multiplexer on a V-Series appliance
that is configured as a full policy source or user directory and filtering
Log in to your Forcepoint TRITON Web Security Console or V-Series appliance.
- From the Appliance Manager, select Administration >Toolbox >Command Line Utility.
- Click the Forcepoint Web Security tab.
- From the Command list, select multiplexer, then use the enable command.
- Repeat Forcepoint TRITON and Forcepoint TRITON to
enable one Multiplexer instance for each Policy Server instance in
If more than one Multiplexer is installed for a Policy Server, only the last installed instance of the Forcepoint Multiplexer is used. The configuration for each Forcepoint Multiplexer instance is stored by its Policy Server.
You can now configure your Forcepoint TRITON appliance to forward syslog events in LEEF format to JSA.
Configuring Syslog for Forcepoint TRITON
To collect events, you must configure syslog forwarding for Forcepoint TRITON.
- Log in to your Forcepoint TRITON Web Security Console.
- On the Settings tab, select General >SIEM Integration.
- Select the Enable SIEM integration for this Policy Server check box.
- In the IP address or hostname field, type the IP address of your JSA.
- In the Port field, type 514.
- From the Transport protocol list, select either
the TCP or UDP protocol option.
JSA supports syslog events for TCP and UDP protocols on port 514.
- From the SIEM format list, select syslog/LEEF (JSA)
- Click OK to cache any changes.
- Click Deploy to update your Forcepoint TRITON
security components or V-Series appliances.
The Forcepoint Multiplexer connects to Forcepoint Filtering Service and ensures that event log information is provided to JSA.
Configuring a Log Source for Forcepoint TRITON
JSA automatically discovers and creates a log source for syslog events in LEEF format from Forcepoint TRITON and V-Series appliances.
The configuration steps for creating a log source are optional.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click Add.
- In the Log Source Name field, type a name for your log source.
- In the Log Source Description field, type a description for the log source.
- From the Log Source Type list, select Forcepoint V Series.
Forcepoint TRITON uses the Forcepoint V Series Content Gateway DSM for parsing events. When you manually add a log source to JSA for Forcepoint TRITON, you should select Forcepoint V Series.
- From the Protocol Configuration list, select Syslog.
- Configure the following values:
Table 1: Syslog Parameters
Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from Forcepoint TRITON or V-Series appliance.
- Click Save.
- On the Admin tab, click Deploy Changes.
The log source is added to JSA.